I developed an online payment gateway, which normally loads in an iframe. Now, the iframe src is not loading in its cPanel environment (Linux server).
I checked the firewall deny IP sections, but the IP is not blacklisted by the server. Any ideas?
2 Answers
Examine the HTTP Headers being returned from the request, for this header:
X-Frame-Options:
If the site has introduced this header with a value like:
X-Frame-Options: SAMEORIGIN
it will prevent the browser from loading an iframe from a different domain. Note that not all browsers make use of this header in the same way:
https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet#Browser_Support
So simply asking the admins to add your domain to the header with:
x-frame-options: ALLOW-FROM proto://your-payment.domain
is not a full solution for Chrome/Safari clients. It would appear you will also need a special CSP bypass in that case. The hosting group would need to add some content security policy to their site to allow your specific frame ancestor:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors
If this is not the issue, perhaps post more HTTP information related to the information flow.
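To make the header logic in this answer concrete, here is an added example (not code from the original answer) that takes a set of response headers and decides whether a given embedding origin is allowed to frame the page. It models the browser rules described above as simplifying assumptions: a `Content-Security-Policy` `frame-ancestors` directive, when present, takes precedence over `X-Frame-Options`; `DENY` blocks everything; `SAMEORIGIN` allows only the page's own origin; and `ALLOW-FROM` is ignored entirely by Chrome/Safari (the `browser` parameter and the `firefox_legacy` label are this example's own). Host-source matching is deliberately simplified (scheme must match exactly; only `*.host` wildcards are handled), and all header values and URLs below are constructed samples.

```python
"""Decide whether an embedding origin may frame a page, from its response headers.

Added example. Models X-Frame-Options and CSP frame-ancestors as browsers
commonly apply them; the matching is a simplification, not a full CSP parser.
"""
from urllib.parse import urlparse


def origin_of(url):
    """Return the lowercased scheme://host[:port] origin of a URL."""
    p = urlparse(url)
    return f"{p.scheme}://{p.netloc}".lower()


def _csp_frame_ancestors(csp_value):
    """Return the source list of a frame-ancestors directive, or None if absent."""
    for directive in csp_value.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]
    return None


def _source_matches(source, embedder, page_origin):
    """Match one frame-ancestors source expression against the embedding origin."""
    if source == "'none'":
        return False
    if source == "'self'":
        return embedder == page_origin
    if source == "*":
        return True
    e = urlparse(embedder)
    # Scheme-only source such as "https:" (note the "/" check excludes "https://host").
    if source.endswith(":") and "/" not in source:
        return e.scheme == source[:-1]
    # Host source; assume the embedder's scheme when the source gives none (simplification).
    s = urlparse(source if "://" in source else f"{e.scheme}://{source}")
    if s.scheme != e.scheme:
        return False
    host = s.hostname or ""
    host_ok = host == e.hostname or (
        host.startswith("*.") and (e.hostname or "").endswith(host[1:])
    )
    port_ok = s.port is None or s.port == e.port
    return host_ok and port_ok


def framing_allowed(headers, page_url, embedder_url, browser="chrome"):
    """Return (allowed, reason) for embedder_url framing page_url given response headers.

    `browser` is a hypothetical label used only to model legacy ALLOW-FROM support:
    "chrome"/"safari" ignore ALLOW-FROM, "firefox_legacy" honours it.
    """
    h = {k.lower(): v for k, v in headers.items()}
    page_origin = origin_of(page_url)
    embedder = origin_of(embedder_url)

    # CSP frame-ancestors, when present, overrides X-Frame-Options.
    csp = h.get("content-security-policy")
    if csp:
        ancestors = _csp_frame_ancestors(csp)
        if ancestors is not None:
            ok = any(_source_matches(s, embedder, page_origin) for s in ancestors)
            return ok, f"CSP frame-ancestors {' '.join(ancestors)} (overrides X-Frame-Options)"

    xfo = h.get("x-frame-options", "").strip()
    if not xfo:
        return True, "no framing restriction header present"
    parts = xfo.split()
    value = parts[0].upper()
    if value == "DENY":
        return False, "X-Frame-Options: DENY"
    if value == "SAMEORIGIN":
        return embedder == page_origin, "X-Frame-Options: SAMEORIGIN"
    if value == "ALLOW-FROM":
        if browser in ("chrome", "safari") or len(parts) < 2:
            # Chrome/Safari never implemented ALLOW-FROM and ignore the header, so
            # adding it there gives no protection and does not "whitelist" anyone.
            return True, "ALLOW-FROM not supported by this browser; header ignored"
        return embedder == origin_of(parts[1]), f"X-Frame-Options: ALLOW-FROM {parts[1]}"
    return True, f"unrecognised X-Frame-Options value {xfo!r}; browsers ignore it"


if __name__ == "__main__":
    # Constructed sample: the gateway page and two candidate embedders.
    sample = {"X-Frame-Options": "SAMEORIGIN",
              "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self' https://shop.example.com"}
    for embedder in ("https://shop.example.com/checkout", "https://other.example.org/"):
        print(embedder, framing_allowed(sample, "https://pay.example.net/form", embedder))
```

Run it against the real headers from `curl -sI` of the gateway URL to see which rule is blocking the frame; when the CSP line is what decides, that is the directive the hosting admins need to extend with your frame ancestor.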
Are both the page and iframe source https? An http page will not load an https iframe.